Updates from: 04/02/2024 01:16:16
Service Microsoft Docs article Related commit history on GitHub Change details
SharePoint Change Site Address https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/change-site-address.md
You can change only the address of the site within the URL, for example:
https://<i></i>contoso.sharepoint.<i></i>com/sites/*project-x* to
-https://<i></i>contoso.sharepoint.<i></i>com/sites/*project-y*
+https://<i></i>contoso.sharepoint.<i></i>com/sites/*project-y*
You can't move the site from "/sites" to "/teams." For info about changing your SharePoint domain name, see [Change your SharePoint domain name](change-your-sharepoint-domain-name.md).
-It can take about 10 minutes to change the site address (depending on the size of the site), and the site is read-only during this time. We recommend changing addresses during times when site usage is low.
+It can take about 10 minutes to change the site address (depending on the size of the site), and the site is read-only during this time. We recommend changing addresses during times when site usage is low.
-You can change the address of up to 100 sites at a time. To change another site address, wait for ongoing changes to finish.
+You can change the address of up to 100 sites at a time. To change another site address, wait for ongoing changes to finish.
> [!NOTE] > If you need to revert a site address change, follow the steps in [Revert a site address change](#revert-a-site-address-change).
Before you change the address of a site, it's important to communicate the chang
- The planned date of the change - The planned URL - Users should close their files and not make edits during the address change-- Users should check the site recycle bin to make sure it contains no files they want to keep
+- Users should check the site recycle bin to make sure it contains no files they want to keep
- File permissions and sharing stay the same ## Change a site address in the new SharePoint admin center
Before you change the address of a site, it's important to communicate the chang
> [!NOTE] > You can't change the address of hub sites, sites that are locked or on hold, Project Web App (PWA) sites, or sites that have BCS connections.
- >
- > When you change a site address, we create a redirect at the previous address. If you want to reuse the previous address, you need to delete the redirect. [Learn how](manage-site-redirects.md)
+ >
+ > When you change a site address, we create a redirect at the previous address. If you want to reuse the previous address, you need to delete the redirect. [Learn how](manage-site-redirects.md)
## Change site addresses by using Microsoft PowerShell
Before you change the address of a site, it's important to communicate the chang
## Effects of changing a site address While the change is in progress, the site is set to read-only, and a redirect is created. After the change is complete, users are redirected to the new URL if they've saved the site as a favorite, or if they select a link to the site.
-
+ **Apps**<br> If apps in your organization refer to the site's URL, you might need to republish the apps when you change the site's address. **Custom Forms Created in Power Apps**<br>
-You need to recreate the Custom Form after the site address change.
+You need to recreate the Custom Form after the site address change.
**Hub sites**<br>
-If the site is associated with a hub, it must be reassociated after the site address is changed.
+If the site is associated with a hub, it must be reassociated after the site address is changed.
**InfoPath forms**<br> InfoPath forms that refer to URLs might not work after the site address is changed.
InfoPath forms that refer to URLs might not work after the site address is chang
**List View web part**<br> If a List View web part on a page is scoped to a specific folder in that list, the web part might display an error after the site URL is changed. To fix this issue, either edit the web part and reset the folder path or remove the web part from the page, and then add it again.
-**Microsoft Forms**<br>
+**Microsoft Forms**
If the site is a Microsoft 365 group-connected site that has forms in Microsoft Forms, any File Upload questions in forms break. To fix this issue, recreate the file upload questions to allow responders to upload files again.
-**OneNote**<br>
+**OneNote**
If users have a notebook open during the site address change, they see a notebook sync error. After the address is changed, the following OneNote apps will automatically detect and seamlessly sync notebooks to the new site URL: - OneNote desktop app ΓÇô Version 16.0.8326.2096 and later-- OneNote for Windows 10 ΓÇô Version 16.0.8431.1006 and later -- OneNote mobile app ΓÇô Version 16.0.8431.1011 and later
+- OneNote for Windows 10 ΓÇô Version 16.0.8431.1006 and later
+- OneNote mobile app ΓÇô Version 16.0.8431.1011 and later
Users don't need to sign in again or take any other action.
-**Permissions**<br>
+**Permissions**
People who have permission to access the site can access the site during and after the site address change.
-**Recent lists inside Office apps**<br>
+**Recent lists inside Office apps**
The Word, Excel, and PowerPoint desktop apps and apps for the web will show the new URL after the change. **Recycle bin** Files in the recycle bin will be restorable as per the usual deletion timeframe.
-**SharePoint mobile apps for Android and iOS**<br>
+**SharePoint mobile apps for Android and iOS**
The SharePoint mobile apps detect the site's new URL. Make sure that users have updated their apps to the latest version.
-**SharePoint web parts**<br>
-Any embedded URLs in any SharePoint web parts (News, List, etc.) won't be updated and may break. This includes page thumbnail images in news posts existing on the site. After the site address is changed, you might need to update individual web parts to use the new URL.
-
-**SharePoint workflow 2013**<br>
-SharePoint workflow 2013 will need to be republished after the site address is changed.
+**SharePoint web parts**
+Any embedded URLs in any SharePoint web parts (News, List, etc.) won't be updated and may break. This includes page thumbnail images in news posts existing on the site. After the site address is changed, you might need to update individual web parts to use the new URL.
-**Sharing links**<br>
+**Sharing links**
After the site address is changed, sharing links will automatically redirect to the new URL.
-**Site customizations and embedded code**<br>
+**Site customizations and embedded code**
Site customizations and embedded code that refer to URLs might need to be fixed after the site address change. Changing the site address preserves data stored in SharePoint but won't change URL dependencies in custom solutions.
-**Synced locations**<br>
-The OneDrive sync app will automatically detect and seamlessly transfer syncing to the new site URL after the site address has been changed. Users don't need to sign in again or take any other action. (Version 17.3.6943.0625 or later of the sync app required.)
-If a user updates a file while the site address is being changed, they see a message that file uploads are pending during the change.
+**Synced locations**
+The OneDrive sync app will automatically detect and seamlessly transfer syncing to the new site URL after the site address has been changed. Users don't need to sign in again or take any other action. (Version 17.3.6943.0625 or later of the sync app required.)
+If a user updates a file while the site address is being changed, they see a message that file uploads are pending during the change.
-**Microsoft 365 groups**<br>
-The email address of the group won't be renamed. The group name is updated only if the site name is updated during the rename process.
+**Microsoft 365 groups**
+The email address of the group won't be renamed. The group name is updated only if the site name is updated during the rename process.
-**Teams (for Microsoft 365 group-connected sites)**<br>
+**Teams (for Microsoft 365 group-connected sites)**
When the site address change is complete, users are able to access their SharePoint files in the Teams app, with the following limitations. |Functionality |Limitation |
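Review bot: The removed "**SharePoint workflow 2013**" entry (republish after the site address is changed) has no matching added line, so guidance is deleted in a pass that otherwise only touches line endings and `<br>` tags. If the deletion is intended, say so in the commit description; if not, restore the entry after "**SharePoint web parts**". A second point on the same section: `<br>` is dropped after labels such as "**Microsoft Forms**" and "**OneNote**" but kept on "**List View web part**<br>" in the context lines, which leaves two conventions in one list, and unless the added label lines end in two spaces the label and its description will render as a single paragraph.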
When the site address change is complete, users are able to access their SharePo
If you need to change the address of a site that was previously changed, we recommend not renaming the site again. This can cause issues if you later want to use the current address for another site. Instead, we recommend returning the site back to its original address. To do so, you use an additional site rename and delete certain redirect sites. [Learn how to delete redirect sites](manage-site-redirects.md). For a case where you changed https://<i></i>contoso.sharepoint.<i></i>com/sites/*project-x* to https://<i></i>contoso.sharepoint.<i></i>com/sites/*project-y* and want to revert back, the steps to follow are:+ 1. Delete the redirect from *project-x* to *project-y* by using the [Remove-SPOSite cmdlet](/powershell/module/sharepoint-online/remove-sposite) on the *project-x* address. 2. Initiate a new site address change from *project-y* to *project-x*. 3. Delete the redirect from *project-y* to *project-x* by using the [Remove-SPOSite cmdlet](/powershell/module/sharepoint-online/remove-sposite) on the *project-y* address.
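Review bot: In the revert steps, "Remove-SPOSite cmdlet on the *project-x* address" and "on the *project-y* address" rely on the reader running the steps in exactly this order, because the same cmdlet is pointed at an address that holds the live site at other points in the procedure. Add a sentence to steps 1 and 3 telling the admin to confirm that the address currently holds only the redirect before deleting it, and point to the linked manage-site-redirects article for how to check. "Revert back" can also be shortened to "revert".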
SharePoint Intranet Governance https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/intranet-governance.md
At a minimum, consider each of these elements as part of your intranet governanc
### Vision The vision statement describes, at a high level, what you want to achieve with your intranet - essentially how the solution delivers value to the organization and to each individual employee. Use the intranet vision statement to guide your governance plan. Be sure that the vision is clear because the degree of formality and the depth to which you need to document the governance plan should align with the outcomes you want to achieve.
-A clear vision statement provides critical guidance to the inevitable decision tradeoffs you need to make for your governance plan. For example, you probably don't want an uncontrolled environment with unstructured and ΓÇ£unfindableΓÇ¥ content if your intranet vision is to provide a key source of organizational knowledge and information. In this case, the unstructured environment with no controls is unpredictable and will likely misalign with desired business outcomes. In a different scenario, some users may have a goal to create an experimental place where new site owners can create ΓÇ£practiceΓÇ¥ sites to try out new skills or test alternative approaches to solve specific business problems. For this use case, an overly restrictive governance plan may not make much sense. You may determine that you donΓÇÖt want to support an unlimited number of ΓÇ£practiceΓÇ¥ sites, so you may want a governance policy that says that all ΓÇ£testΓÇ¥ sites are deleted after a specific period of time. But, for these practice or test sites, the unstructured environment is fine. You can only know what is level of governance is ideal because you have a clear vision. The vision provides a framework for both the context and your investment in governance. Once you're clear about your intranet vision, your governance team can use that vision to guide the governance decisions.
+
+A clear vision statement provides critical guidance to the inevitable decision tradeoffs you need to make for your governance plan. For example, you probably don't want a completely uncontrolled environment with unstructured and ΓÇ£unfindableΓÇ¥ content if your intranet vision is to provide a key source of organizational knowledge and information. In this case, the unstructured environment with no controls is unpredictable and will likely misalign with desired business outcomes. In a different scenario, some users may have a goal to create an experimental place where new site owners can create ΓÇ£practiceΓÇ¥ sites to try out new skills or test alternative approaches to solve specific business problems. For this use case, an overly restrictive governance plan may not make much sense. You may determine that you donΓÇÖt want to support an unlimited number of ΓÇ£practiceΓÇ¥ sites, so you may want a governance policy that says that all ΓÇ£testΓÇ¥ sites are deleted after a specific period of time. But, for these practice or test sites, the unstructured environment is fine. You can only know what is level of governance is ideal because you have a clear vision. The vision provides a framework for both the context and your investment in governance. Once you're clear about your intranet vision, your governance team can use that vision to guide the governance decisions.
+ Your intranet vision includes defining ownership. There's no right answer about which organizational entity should ΓÇ£ownΓÇ¥ the intranet ΓÇô and often, intranet ownership is shared by more than one organizational unit. However, most intranet professionals agree that there's one organization that shouldn't be the exclusive intranet owner ΓÇô IT. IT can't build an intranet for the business. IT can only build an intranet with the business and with a commitment from the business. Successful intranets have a champion and owner from the business, ideally at an executive level.
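Review bot: The added Vision paragraph still carries "You can only know what is level of governance is ideal because you have a clear vision", which has a stray "is". Since the paragraph is being re-added in full, change it to "what level of governance is ideal" in the same commit.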
Your intranet vision includes defining ownership. There's no right answer about
### Policies and guidelines Policies define the rules and guidelines for your intranet. From a governance perspective, policies are usually driven by statutory, regulatory, or organizational requirements. Users are expected to meet policies without deviation. If your organization is subject to regulatory oversight, be sure you can enforce your policies as a failure to do so may target your organization as being ΓÇ£non-compliant.ΓÇ¥ Guidelines are usually established to encourage consistent practices. In many cases, guidelines are more recommendations, but policies are requirements. + For example, consider the site ownership. A policy might state, ΓÇ£All SharePoint sites have a primary and secondary contact responsible for the site and its content.ΓÇ¥ A related guideline might state, ΓÇ£The site contact is listed in a web part in the lower left-hand corner of the site home page.ΓÇ¥ The guideline might become a policy for major functional sites but remain a guideline or recommendation for topic-specific microsites. Another example of a policy is whether people outside the organization can have access to the intranet as a whole or only to individual sites. The policy might have a default value of no external access but there could be a process that allows for exceptions to allow specific partner users to have access to some intranet sites. + Each organization has its own set of policies and guidelines. General topics should include content oversight, site design, branding and user experience, site management, and security. #### Steps to ensure success:
You can easily [hide the option to create a new site](./manage-site-creation.md)
If you enable self-service site provisioning, you want to consider providing site designs that embed your best practices so that new site owners start with a ΓÇ£templateΓÇ¥ that aligns to your governance guidelines. You'll also want to track new sites in the Admin Center so that you can follow up with new site owners to provide the information that they need to be successful after the site has been created.
-In addition to providing a process to provision new sites, you'll also want to think about a process to provision new [hubs](./planning-hub-sites.md) and associated hubs. Hubs must be provisioned by the Global Administrator or SharePoint Administrator so you'll need to think about how you'll plan and govern the creation of new hubs.
+
+In addition to providing a process to provision new sites, you'll also want to think about a process to provision new [hubs](./planning-hub-sites.md) and associated hubs. Hubs must be provisioned by the Global Administrator or SharePoint Administrator so you need to think about how you'll plan and govern the creation of new hubs.
+ When an intranet site is no longer needed, there may be cases where your records management process prohibits deletion of the site and/or content. Another key governance decision is planning how you'll delete or decommission intranet sites in the context of both legal holds and records management requirements. Learn more about [Microsoft Purview compliance documentation](/microsoft-365/compliance), including [records management](/microsoft-365/compliance/records-management) and [eDiscovery (Premium)](/microsoft-365/compliance/overview-ediscovery-20).
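Review bot: The added hubs sentence keeps "Hubs must be provisioned by the Global Administrator or SharePoint Administrator" without saying which role to prefer; for a governance article, recommend the SharePoint Administrator role for this task so readers do not reach for Global Administrator by default. The same sentence now mixes "you'll also want", "you need" and "how you'll plan"; pick one tense for all three.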
Intranet governance should cover several key aspects of your information archite
- **Navigation architecture** ΓÇô how your sites and hubs are associated to support users who navigate or browse for content. - **Page architecture** ΓÇô guidelines for pages, especially site home pages, to help create consistent experiences across all intranet sites. - **Metadata architecture** ΓÇô columns and content type planning to support consistent approaches for organizing content and pages.-- **Search experiences** ΓÇô understanding how users find content when they donΓÇÖt know where it might be in the architecture and how they'll discover content. You can help users discover content and improve search outcomes by using several features in search, including acronyms, bookmarks, Q&A, floor plans, and locations. For more information, learn how to [make content easy to find](/microsoftsearch/make-content-easy-to-find) and how [search experiences](./get-started-with-modern-search-experience.md) work in SharePoint. Your governance plan should include how you'll support and manage the creation of the search discovery attributes.-
+- **Search experiences** ΓÇô understanding how users find content when they donΓÇÖt know where it might be in the architecture and how they discover content. You can help users discover content and improve search outcomes by using several features in search, including acronyms, bookmarks, Q&A, floor plans, and locations. For more information, learn how to [make content easy to find](/microsoftsearch/make-content-easy-to-find) and how [search experiences](./get-started-with-modern-search-experience.md) work in SharePoint. Your governance plan should include how you'll support and manage the creation of the search discovery attributes.
### Branding Brand standards help to define the look and feel of your intranet. These standards are reflected in site and page designs. Your brand standards can include standards for the use of imagery, including requirements to use only brand-compliant images or icons from an [organization assets library](./organization-assets-library.md) on intranet pages, and requirements to use only brand-compliant [custom themes](/sharepoint/dev/declarative-customization/site-theming/sharepoint-site-theming-overview) for sites. Your standards might prescribe a specific theme for different types of sites or sites with different access levels. Your standards might also include content authoring standards such as tone of voice, spelling conventions, [accessibility standards](https://www.microsoft.com/accessibility/office?activetab=pivot_1:primaryr2), and other guidelines that support your organizational brand. Learn more about [branding in SharePoint](./branding-sharepoint-online-sites-modern-experience.md).
Your governance plan should include these key content management concepts:
- Do you have requirements to implement [records retention policies](/microsoft-365/compliance/records-management) on some or all content to prevent accidental deletion? ### Security and information management
-Your governance plan shouldn't only include what *should* be posted on the intranet ΓÇô but it should also include guidelines for content that *shouldn't* be posted on the intranet. You may be able to enforce some policies using [automated information protection](/microsoft-365/compliance/protect-information) capabilities, but you'll want to provide training and guidance for site owners and content authors to ensure that they understand their responsibilities when it comes to security and information management for both sites and content.
+
+Your governance plan shouldn't only include what *should* be posted on the intranet ΓÇô but it should also include guidelines for content that *shouldn't* be posted on the intranet. You may be able to enforce some policies using [automated information protection](/microsoft-365/compliance/protect-information) capabilities, but you want to provide training and guidance for site owners and content authors to ensure that they understand their responsibilities when it comes to security and information management for both sites and content.
### Roles and responsibilities Roles and responsibilities describe how each employee as an individual or in a role (such as Site Owner) is responsible for ensuring success of the intranet. Documenting roles and responsibilities is a critical aspect of your intranet governance plan. To ensure that intranet responsibilities are treated seriously, it's helpful to partner with your human resources organization to ensure that intranet responsibilities are part of job descriptions or performance goals.
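Review bot: In the added sentence under "Security and information management", replacing "you'll want to provide training" with "you want to provide training" turns a recommendation into a statement about the reader. "You should provide training and guidance for site owners and content authors" keeps it as guidance, which matters here because the sentence is the only place that says automated information protection does not cover everything. The opening "shouldn't only include ... but it should also include" could be tightened in the same edit.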
-It ΓÇ£takes a villageΓÇ¥ to successfully support an intranet in any organization. You'll need a team - and the team may include specialized roles that you use on an occasional basis, such as developers to create a custom web part, permanent roles such as site owners for whom intranet site management is a small part of their job, and other permanent roles for people whose entire job responsibilities involve intranet management. Some organizations find it helpful to organize their intranet resources in a center of excellence, which may include full time members of the IT staff supplemented with virtual members who work in different business groups around the organization. Others extend their centralized staff to include ΓÇ£[intranet champions](https://www.microsoft.com/microsoft-365/success/champions),ΓÇ¥ who extend the support team into various departments and geographic locations by volunteering to help ensure intranet success.
+
+It ΓÇ£takes a villageΓÇ¥ to successfully support an intranet in any organization. You need a team - and the team may include specialized roles that you use on an occasional basis, such as developers to create a custom web part, permanent roles such as site owners for whom intranet site management is a small part of their job, and other permanent roles for people whose entire job responsibilities involve intranet management. Some organizations find it helpful to organize their intranet resources in a center of excellence, which may include full time members of the IT staff supplemented with virtual members who work in different business groups around the organization. Others extend their centralized staff to include ΓÇ£[intranet champions](https://www.microsoft.com/microsoft-365/success/champions),ΓÇ¥ who extend the support team into various departments and geographic locations by volunteering to help ensure intranet success.
No matter who is in your ΓÇ£village,ΓÇ¥ it's critically important that everyone understands their role and for which aspects of the intranet they're responsible. Figure 2 shows an example of a role and responsibilities description for an intranet Site Owner.
SharePoint Intranet Roles Tasks https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/intranet-roles-tasks.md
As you plan and implement your intranet, keep in mind these key success factors:
- For your intranet, as a whole: - Have a sponsor for each initiative and an executive sponsor from the business for the intranet as a whole. - Ensure that your intranet goals are directly tied to key business goals.
- - Get a core team together to think about governance ΓÇö make sure you align your governance decisions to business goals.
+ - Get a core team together to think about governanceΓÇömake sure you align your governance decisions to business goals.
- Align your intranet with your organization brand and culture.
- - Don't assume you have to launch with a "big bang" ΓÇö align communications and training with your launch plan.
+ - Don't assume you have to launch with a "big bang"ΓÇöalign communications and training with your launch plan.
- For each initiative:
- - Gather outcomes, not requirements ΓÇö be sure to talk to site users, not just owners.
- - Design to align to your organization standards ΓÇö but allow the site "story" to dictate the navigation and page layouts.
+ - Gather outcomes, not requirementsΓÇöbe sure to talk to site users, not just owners.
+ - Design to align to your organization standardsΓÇöbut allow the site "story" to dictate the navigation and page layouts.
- Establish success goals for each site and review them regularly.
- - Test your proposed navigation with site visitors ΓÇö make sure that visitors can easily get to their top tasks.
+ - Test your proposed navigation with site visitorsΓÇömake sure that visitors can easily get to their top tasks.
### Key tasks
As you plan and implement your intranet, keep in mind these key success factors:
A critical part of your SharePoint intranet is your site architecture. By using a series of [communication sites](https://support.office.com/article/94A33429-E580-45C3-A090-5512A8070732) and [hubs](planning-hub-sites.md), you can create an intuitive intranet with common navigation across related sites and an easy-to-manage permissions structure. For a detailed look at site navigation in SharePoint, see [Planning navigation for the modern SharePoint experience](./plan-navigation-modern-experience.md).
-*Start by* ΓÇö Developing an understanding about what you need your intranet to accomplish and start organizing content assets to align with key outcome goals. Organize depending on the needs of the business ΓÇö by region, department, or function ΓÇö and by the topics that your users care about.
+*Start byΓÇöDeveloping an understanding about what you need your intranet to accomplish and start organizing content assets to align with key outcome goals. Organize depending on the needs of the businessΓÇöby region, department, or functionΓÇöand by the topics that your users care about.
*You know you're done when* ΓÇö Business owners and users confirm they can find and have access to the content that makes their jobs more productive. + #### Brand your intranet Branding provides a way to align your intranet with your organizational culture. With SharePoint, you can [add branding to your SharePoint site](./branding-sharepoint-online-sites-modern-experience.md), and also [customize the Microsoft 365 theme for your organization](/office365/admin/setup/customize-your-organization-theme).
-*Start by* ΓÇö Answer, do you need a consistent brand across all sites or will different divisions, departments, or groups in your organization have their own look and feel? Then, collect approved brand assets like brand colors, logos, and images depending on your organization's branding requirements.
+*Start byΓÇöAnswer, do you need a consistent brand across all sites or will different divisions, departments, or groups in your organization have their own look and feel? Then, collect approved brand assets like brand colors, logos, and images depending on your organization's branding requirements.
*You know you're done when* ΓÇö You've determined the end-to-end look of the intranet from the home page to hubs to individual sites. ## IT pros and admins
-IT Pros and admins implement the needed platform integration steps needed by your business owners for their intranet portals ΓÇö such as with databases or line-of-business applications. This may include content migration from existing systems. They also work with other stakeholders and the business to determine a governance strategy for the intranet and train people in the organization to use SharePoint and other tools to manage the intranet.
+IT Pros and admins implement the needed platform integration steps needed by your business owners for their intranet portalsΓÇösuch as with databases or line-of-business applications. This may include content migration from existing systems. They also work with other stakeholders and the business to determine a governance strategy for the intranet and train people in the organization to use SharePoint and other tools to manage the intranet.
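Review bot: The two added lines that begin "*Start by" drop the closing asterisk that the removed lines had after "*Start by*", so the emphasis is left unclosed and will either show a literal asterisk or run on to the next asterisk in the paragraph. Restore the closing asterisk on both lines, and apply the same dash spacing to the "*You know you're done when*" labels in the context lines, which still use the spaced form.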
As you plan and implement your intranet, keep in mind these key success factors:
As you plan and implement your intranet, keep in mind these key success factors:
#### Plan and align the governance strategy
-Governance is the set of policies, roles, and processes that control how your organization's business divisions and IT teams work together to achieve its goal ΓÇö ensuring organization content and communications are secure and viewers benefit from a consistent experience. Every organization has unique needs and goals that influence its approach to governance. Some details to consider when planning your [governance strategy](./governance-overview.md): naming conventions, guest access, classification of sites, groups, and files.
+Governance is the set of policies, roles, and processes that control how your organization's business divisions and IT teams work together to achieve its goalΓÇöensuring organization content and communications are secure and viewers benefit from a consistent experience. Every organization has unique needs and goals that influence its approach to governance. Some details to consider when planning your [governance strategy](./governance-overview.md): naming conventions, guest access, classification of sites, groups, and files.
*Start by* ΓÇö Understanding the rules and requirements of your organization, in combination with the needs of business owners and site owners. Then, develop a plan alongside IT, HR, and senior leadership that allows employees to maximize the value of SharePoint with minimal oversight in a way that's compliant.
One of the largest tasks in creating a new intranet site is migrating your exist
Look for opportunities to eliminate prior versions of documents that you no longer need. If you migrate files ending .v1, .v2, and so on, you create confusion for your users who won't be able to rely on search to consistently find the latest version of documents.
-Train your users to take advantage of SharePoint's automated versioning ΓÇö and remove version IDs and dates from file names wherever possible, migrating only the latest and most accurate version. Better still, see if you can convert legacy documents to modern pages to create more engaging and easier to consume content. You'll get better search experiences and achieve higher user satisfaction and easier maintenance by removing content that's no longer needed prior to migration.
+Train your users to take advantage of SharePoint's automated versioning ΓÇö and remove version IDs and dates from file names wherever possible, migrating only the latest and most accurate version. Better still, see if you can convert legacy documents to modern pages to create more engaging and easier to consume content. You get better search experiences and achieve higher user satisfaction and easier maintenance by removing content that's no longer needed prior to migration.
[Learn about options for migrating from file shares, SharePoint Server, and other cloud providers](/sharepointmigration/migrate-to-sharepoint-online).
To post important or interesting stories, announcements, people news, status upd
To align your organization's branding requirements, you can [change the look of your site](https://support.office.com/article/06bbadc3-6b04-4a60-9d14-894f6a170818).
-*Start by* ΓÇö Prioritizing business objectives, and then decide the type of sites and web parts that will be needed initially.
+*Start by* ΓÇö Prioritizing business objectives, and then decide the type of sites and web parts that are needed initially.
+ *You know you're done when* ΓÇö Business and site owners have dedicated areas in SharePoint that can be owned and maintained with little oversight. + ## Content authors Content authors are the people who create content on sites. Content authors can take on many responsibilities such as creating and publishing news, creating topic-specific pages, or serving as subject matter experts and thought leaders for special projects and initiatives. Content authors should get familiar with [SharePoint design fundamentals](https://support.office.com/article/Plan-your-SharePoint-site-21761aac-f7f7-4499-b0ca-cf283477c32f).
SharePoint Intranet Team Overview https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/intranet-team-overview.md
Previously updated : 06/29/2021 Last updated : 03/21/2024 Title: "Intelligent intranet introduction"
Whether you're the organization intranet owners, an IT Professional or administr
**Roadmap contents**: -- Introduction to key success factors and considerations
+- Introduction to key success factors and considerations
- Review of the different [roles and tasks](intranet-roles-tasks.md) - How to [get started](intranet-get-started.md)
Whether you're the organization intranet owners, an IT Professional or administr
Intranets are a constant work in progress and are never really considered done. Make sure you have a plan to keep your content relevant, otherwise your intranet starts losing value on the day that you launch. Celebrate your initial launch, plan to monitor and maintain your intranet and its content over time as the organization changes and business goals evolve. + ## How to think about an intelligent vs traditional intranet design The new, modern experience in SharePoint is designed to be compelling, flexible, and more performant. The [modern experience](trad-vs-modern-intranet.md) makes it easier for anyone to create beautiful, dynamic sites and pages that are accessible and mobile-ready. Modern SharePoint supports intelligent workplaces ΓÇö those that apply the collective knowledge of current users, share and collaborate easily, and engage audiences with targeted content and news.
Over the years, we have learned about what makes an intranet successful. These f
Review the different [roles and responsibilities](intranet-roles-tasks.md) when creating your intelligent intranet.
-### Related topics
+### Related articles
[Create and launch healthy portals](/sharepoint/portal-health) [Ways to work with SharePoint](https://support.office.com/article/ways-to-work-with-sharepoint-17688238-3285-47cf-b8c7-cba3764acbdf) [Guide to the Modern experience in SharePoint](./guide-to-sharepoint-modern-experience.md)----
SharePoint Leadership Connection https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/leadership-connection.md
Create and produce live events for people in the leadership Viva Engage network,
![Screenshot of a woman presenting in a live event in Teams.](media/lc-event-questions.png)
-There are two ways [live events in Viva Engage can be produced](/viva/engage/organize-live-event). The requirements depend on which video production methods you intend to use in your organization. Learn more about which method of live event you should use. For live events that only require visual and audio support, consider [hosting a live event using Viva Engage in Teams](https://support.microsoft.com/office/schedule-and-produce-a-live-event-in-new-yammer-using-teams-d891bff6-eda2-493f-8b0d-d87932e7937d).
+
+There are two ways [live events in Viva Engage can be produced](https://support.microsoft.com/office/organize-a-live-event-in-viva-engage-7338782a-4f0b-4fd0-a6c3-33625906ead1). The requirements depend on which video production methods you intend to use in your organization. Learn more about which method of live event you should use. For live events that only require visual and audio support, consider [hosting a live event using Viva Engage in Teams](https://support.microsoft.com/office/schedule-and-produce-a-live-event-in-new-yammer-using-teams-d891bff6-eda2-493f-8b0d-d87932e7937d).
+ Once you've determined the right method for your live event, get started organizing and scheduling the event.
SharePoint Lists Custom Template https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/lists-custom-template.md
When users in your organization create a list (in SharePoint, Teams, or the List
## Scope the permissions to a custom template + By default, the custom list template is available to everyone in your organization. If you want, you can limit access to specific users or a security group. The following example shows how to grant an individual user view rights to a template. + ```PowerShell Grant-SPOSiteDesignRights -Identity <List design ID to apply rights to>
SharePoint Make Pages Load Faster https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/make-pages-load-faster.md
description: "Configure the Content Search Web Part to cache search results for
# Make pages load faster with caching in the Content Search Web Part
-[Configure a Content Search Web Part in SharePoint](https://support.office.com/article/0dc16de1-dbe4-462b-babb-bf8338c36c9a) (CSWP) offers numerous flexibility for configuring the query it contains. However, if you configure the Web Part to use a complex query, or if you have many CSWPs on a page, the page can take longer time to load. To make the page load faster, you can configure the CSWP to cache search results for users who belong to the same AD security groups. Because it's faster to look up search results in the cache than in the search index, the page loads faster.
+
+[Configure a Content Search Web Part in SharePoint](https://support.office.com/article/0dc16de1-dbe4-462b-babb-bf8338c36c9a) (CSWP) offers much flexibility for configuring the query it contains. However, if you configure the Web Part to use a complex query, or if you have many CSWPs on a page, the page can take longer time to load. To make the page load faster, you can configure the CSWP to cache search results for users who belong to the same AD security groups. Because it's faster to look up search results in the cache than in the search index, the page loads faster.
+ When you have configured a CSWP to use caching, it will first look in the cache for existing search results that match the query and the AD security group. If it doesn't find any search results in the cache, it looks in the search index.
The queries in **CSWP 3 and 4** are configured to **show different results to di
**CSWP 3** shows one set of results to people who work in the HR department, and another set of results to people who work in the Sales department. In most cases, you can make the page load faster by using caching in this Web Part. However, if you have many small departments with only a few employees in each department, the number of search results that will be stored in the cache could overload the cache and actually increase the page load time. + **CSWP 4** shows which documents the logged-in user has worked on recently. You shouldn't use caching in this Web Part. Because the query is tailored to each user, all individual search results are stored in the cache. This overloads the cache and might increase the page load time.+ ## How does caching make web pages load faster? <a name="BKMK_HoCachingWorks"> </a>
SharePoint Manage Automated Form Processing https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/manage-automated-form-processing.md
Last updated 04/19/2020 Title: "Manage automated document processing" --++ recommendations: true audience: Admin
Admins can show or hide [automated document processing options in SharePoint document libraries](https://support.office.com/article/form-processing-in-sharepoint-cecf236f-224d-4630-9082-b5c79e0cd59a) through the admin center.
-* If [AI Builder](/ai-builder/overview) document processing is not enabled, the freeform selection method and layout method will not be visible to users on the **Options for model creation** page.
+* If [AI Builder](/ai-builder/overview) document processing isn't enabled, the freeform selection method and layout method won't be visible to users on the **Options for model creation** page.
* Creating a [document processing AI model](/ai-builder/form-processing-model-overview) from SharePoint applies the model to the library it was created in. * You no longer need to configure the flows to process existing files.
- * The information will be available in the values of the columns in the library.
-* The [default environment for the Power Platform](/power-platform/admin/environments-overview#the-default-environment) will be used for all document processing models built through these options.
+ * The information is available in the values of the columns in the library.
+* The [default environment for the Power Platform](/power-platform/admin/environments-overview#the-default-environment) is used for all document processing models built through these options.
SharePoint Manage Business Connectivity Service Applications https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/manage-business-connectivity-service-applications.md
Last updated 07/11/2018 Title: Manage Business Connectivity Service Applications --++ recommendations: true audience: Admin
SharePoint Manage Geo Locations https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/manage-geo-locations.md
Title: "Manage geo locations in the new SharePoint admin center"
recommendations: true--++ audience: Admin f1.keywords: - CSH
SharePoint Manage Lock Status https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/manage-lock-status.md
Last updated 09/10/2020 Title: "Lock and unlock sites"--++ recommendations: true audience: Admin
SharePoint Manage Query Rules https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/manage-query-rules.md
Last updated 07/11/2018 Title: "Manage query rules" --++ recommendations: true audience: Admin
SharePoint Manage Query Suggestions https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/manage-query-suggestions.md
Last updated 07/11/2018 Title: "Customize query suggestions in SharePoint search" --++ recommendations: true audience: Admin
SharePoint Manage Result Sources https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/manage-result-sources.md
Last updated 07/11/2018 Title: "Manage result sources" --++ recommendations: true audience: End User
SharePoint Manage Result Types https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/manage-result-types.md
Title: "Manage result types" --++ recommendations: true Last updated 6/29/2018
SharePoint Manage Search Center https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/manage-search-center.md
Title: "Manage the Search Center in SharePoint" --++ recommendations: true Last updated 4/5/2018
SharePoint Update To Spworkflow Manager When Upgrading Farms https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/governance/update-to-spworkflow-manager-when-upgrading-farms.md
Title: "Upgrade from Workflow Manager to SharePoint Workflow Manager on a new farm" --++ Last updated 05/17/2023 audience: ITPro
Example:
- On the SPWFM server, go to Start | Run and type in "cliconfg" - On the Alias tab, select Add. - Choose TCP/IP for the Network library.
SharePoint Set Up Oidc Auth In Sharepoint Server With Adfs https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/security-for-sharepoint-server/set-up-oidc-auth-in-sharepoint-server-with-adfs.md
description: "Learn how to set up OIDC authentication in SharePoint Server with
## Prerequisites
-When you configure with AD FS OIDC, you need the following resources to perform the configuration:
+When you configure SharePoint Server with Active Directory Federation Services (AD FS) using OpenID Connect (OIDC) authentication, you need the following resources to perform the configuration:
-1. A SharePoint Server farm.
+1. A SharePoint Server Subscription Edition farm.
2. AD FS in Windows Server 2016 or later, already created, with the public key of the AD FS signing certificate exported in a `.cer` file. This article uses the following example values for AD FS OIDC setup:
If you're setting OIDC with SharePoint Server, nbf claim must be configured in A
4. Select **Finish**. ## Step 2: Change SharePoint farm properties
+In this step, you need to modify the SharePoint Server farm properties based on the version of your SharePoint Server.
-In this step, you'll need to modify the SharePoint farm properties. Start the SharePoint Management Shell and run the following script:
+> [!Note]
+> Start the SharePoint Management Shell as a farm administrator to run the following script. Read the instructions mentioned in the following PowerShell script carefully. You will need to enter your own environment-specific values in certain places.
-> [!NOTE]
-> Read the instructions mentioned in the following PowerShell script carefully.
+- For more information on configuring SharePoint farm properties for SharePoint Server Subscription Edition Version 24H1, see [Configure SPSE Version 24H1 or higher version](#configure-sharepoint-server-subscription-edition-version-24h1-or-higher-versions).
+- For more information on configuring SharePoint farm properties for SharePoint Server Subscription Edition Version preceding 24H1, see [Configure SPSE prior to Version 24H1](#configure-sharepoint-server-subscription-edition-prior-to-version-24h1).
+
+#### Configure SharePoint Server Subscription Edition Version 24H1 or higher versions
+
+Starting with SharePoint Server Subscription Edition Version 24H1 (March 2024), you can configure SharePoint Server farm properties by employing SharePoint Certificate Management to manage the nonce cookie certificate. The nonce cookie certificate is part of the infrastructure to ensure OIDC authentication tokens are secure. Run the following script to configure:
```powershell
-# Setup farm properties to work with OIDC
-#Create a self-signed certificate in one SharePoint Server in the farm
+# Set up farm properties to work with OIDC
+
+# Create the Nonce certificate
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' -Subject "CN=SharePoint Cookie Cert"
-#if you have multiple SharePoint servers in the farm, you need to export certificate by Export-PfxCertificate and import certificate to all the SharePoint servers in the farm by Import-PfxCertificate.
+# Import certificate to Certificate Management
+$certPath = <path to save the exported cert>
+$certPassword = ConvertTo-SecureString -String <password> -Force -AsPlainText
+Export-PfxCertificate -Cert $cert -FilePath $certPath -Password $certPassword
+$nonceCert = Import-SPCertificate -Path $certPath -Password $certPassword -Store "EndEntity" -Exportable:$true
+
+$farm = Get-SPFarm
+$farm.UpdateNonceCertificate($nonceCert,$true)
+```
-#After certificate is successfully imported to SharePoint Server, we will need to grant access permission to certificate private key.
+#### Configure SharePoint Server Subscription Edition prior to Version 24H1
+```powershell
+# Set up farm properties to work with OIDC
+$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' -Subject "CN=SharePoint Cookie Cert"
$rsaCert = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert) $fileName = $rsaCert.key.UniqueName+
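Review bot: In the added 24H1 script, `Export-PfxCertificate` writes the nonce certificate together with its private key to `$certPath`, and nothing after `Import-SPCertificate` removes that file, so the PFX stays on disk once the certificate is in Certificate Management. Suggest a cleanup line after the import (for example `Remove-Item $certPath`) and a comment telling the admin to choose a path that only administrators can read. The password is built with `ConvertTo-SecureString -String <password> -Force -AsPlainText`, which puts the PFX password in the script text; prompting with `Read-Host -AsSecureString` would avoid that. Also, `$certPath = <path to save the exported cert>` and `-String <password>` are bare placeholders that do not parse if pasted as written, while this same change quotes `"<Your Client Identifier>"` in Step 3; quoting them here would be consistent.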
+# If you have multiple SharePoint servers in the farm, you need to export the certificate by Export-PfxCertificate and import the certificate to all other SharePoint servers in the farm by Import-PfxCertificate.
+
+# After the certificate is successfully imported to SharePoint Server, we will need to grant access permission to the certificate's private key.
+ $path = "$env:ALLUSERSPROFILE\Microsoft\Crypto\RSA\MachineKeys\$fileName" $permissions = Get-Acl -Path $path
-#please replace the <web application pool account> with real application pool account of your web application
+
+# Replace the <web application pool account> with the real application pool account of your web application
$access_rule = New-Object System.Security.AccessControl.FileSystemAccessRule(<Web application pool account>, 'Read', 'None', 'None', 'Allow') $permissions.AddAccessRule($access_rule) Set-Acl -Path $path -AclObject $permissions
-#Then we update farm properties
-$f = Get-SPFarm
-$f.Farm.Properties['SP-NonceCookieCertificateThumbprint']=$cert.Thumbprint
-$f.Farm.Properties['SP-NonceCookieHMACSecretKey']='seed'
-$f.Farm.Update()
+# Update farm properties
+$farm = Get-SPFarm
+$farm.Properties['SP-NonceCookieCertificateThumbprint']=$cert.Thumbprint
+$farm.Properties['SP-NonceCookieHMACSecretKey']='seed'
+$farm.Update()
``` ## Step 3: Configure SharePoint to trust the identity providers
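Review bot: In the pre-24H1 script, `$farm.Properties['SP-NonceCookieHMACSecretKey']='seed'` assigns the fixed literal `'seed'` to a property named as an HMAC secret key, and unlike the `<Web application pool account>` line above it there is no comment saying whether the admin is expected to replace the value. The new note tells readers to enter environment-specific values "in certain places", so please state explicitly whether `'seed'` is a placeholder, and if it is, mark it the same way as the other placeholders. Smaller points: the pre-24H1 heading goes straight into the code block with no introductory sentence, while the 24H1 section has one; the new callout is written `[!Note]` where the other callouts in this diff use `[!NOTE]`; and the two new `####` headings sit directly under the `##` Step 2 heading, skipping a level.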
-In this step, you'll create a `SPTrustedTokenIssuer` that will store the configuration that SharePoint needs to trust AD FS as OIDC provider. Start the SharePoint Management Shell and run the following script to create it:
+In this step, you'll create a `SPTrustedTokenIssuer` that will store the configuration that SharePoint needs to trust AD FS as an OIDC provider. Start the SharePoint Management Shell as a farm administrator and run the following script to create it:
> [!NOTE]
-> Read the instructions mentioned in the following PowerShell script carefully.
+> Read the instructions mentioned in the following PowerShell script carefully. You will need to input environment-specific values in several places.
```powershell # Define claim types
$authendpointurl = "https://adfs.contoso.local/adfs/oauth2/authorize"
$registeredissuernameurl = "https://adfs.contoso.local/adfs" $signouturl = "https://adfs.contoso.local/adfs/oauth2/logout"
-#Please replace <Client Identifier> with the value you saved in step #3 of AD FS Setup section
-$clientIdentifier = <Client Identifier>
+# Replace <Client Identifier> with the value you saved in step #3 of AD FS Setup section
+$clientIdentifier = "<Your Client Identifier>"
# Create a new SPTrustedIdentityTokenIssuer in SharePoint New-SPTrustedIdentityTokenIssuer -Name "Contoso.local" -Description "Contoso.local" -ImportTrustCertificate $signingCert -ClaimsMappings $email -IdentifierClaim $email.InputClaimType -RegisteredIssuerName $registeredissuernameurl -AuthorizationEndPointUri $authendpointurl -SignOutUrl $signouturl -DefaultClientIdentifier $clientIdentifier ```
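Review bot: The updated comment still says to replace `<Client Identifier>`, but the placeholder on the next line is now `"<Your Client Identifier>"`, so the instruction names a token that no longer appears in the script. Use the same placeholder text in both lines. Quoting the value is a good change, since the unquoted `<Client Identifier>` form did not parse in PowerShell.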
-Here, `New-SPTrustedIdentityTokenIssuer` PowerShell cmdlet is extended to support OIDC by using the following parameters:
+The `New-SPTrustedIdentityTokenIssuer` PowerShell cmdlet is extended to support OIDC by using the following parameters:
| Parameter | Description | ||-|
Here, `New-SPTrustedIdentityTokenIssuer` PowerShell cmdlet is extended to suppor
> > - If the AD FS signing certificate is a self-signed certificate (not recommended for security reasons). >
-> The public key of the AD FS signing certificate itself must be added to the store. Start the SharePoint Management Shell and run the following script to add the certificate:
+> The public key of the AD FS signing certificate must be added to the store. Start the SharePoint Management Shell and run the following script to add the certificate:
> > ```powershell > $rootCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Data\Claims\ADFS Signing.cer")
Here, `New-SPTrustedIdentityTokenIssuer` PowerShell cmdlet is extended to suppor
## Step 4: Configure a SharePoint web application
-In this step, you'll configure a web application in SharePoint to be federated with the AD FS OIDC, using the `SPTrustedIdentityTokenIssuer` that was created in the previous step.
+In this step, you'll configure a web application in SharePoint to use AD FS OIDC authentication, using the `SPTrustedIdentityTokenIssuer` that was created in the previous step.
> [!IMPORTANT] > > - The default zone of the SharePoint web application must have Windows authentication enabled. This is required for the search crawler.
-> - SharePoint URL that will use AD FS OIDC federation must be configured with HTTPS.
+> - The SharePoint URL that will use AD FS OIDC federation must be configured with HTTPS.
-You can do this configuration either by:
+You can complete this configuration either by:
- Creating a new web application and using both Windows and AD FS OIDC authentication in the Default zone. To create a new web application, do the following:+ 1. Start the SharePoint Management Shell and run the following script to create a new `SPAuthenticationProvider`:
- ```powershell
- # This script creates a trusted authentication provider for OIDC
-
- $sptrust = Get-SPTrustedIdentityTokenIssuer "contoso.local"
- $trustedAp = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $sptrust
- ```
+ ```powershell
+ # This script creates a trusted authentication provider for OIDC
+ $sptrust = Get-SPTrustedIdentityTokenIssuer "contoso.local"
+ $trustedAp = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $sptrust
+ ```
2. Follow [Create a web application in SharePoint Server](/sharepoint/administration/create-a-web-application) to create a new web application enabling HTTPS/SSL named SharePoint - OIDC on contoso.local.+ 3. Open the SharePoint Central Administration site.
- 4. Open the web application you created and pick **contoso.local** as **Trusted Identity Provider**.
- :::image type="content" source="../media/authentication-providers-3.jpg" alt-text="Authentication Providers 3":::
+ 4. Open the web application you created, choose "Authentication Providers" in the Ribbon, click the link for the "Default" zone, and pick **contoso.local** as **Trusted Identity Provider**.
+
+ :::image type="content" source="../media/authentication-providers-3.jpg" alt-text="Authentication Providers 3":::
5. Navigate to **System Settings** > **Configure Alternate Access Mappings** > **Alternate Access Mapping Collection**.
+
6. Filter the display with the new web application and confirm that you see the following information:
- :::image type="content" source="../media/alternate-access-mapping-collection.png" alt-text="Alternate Access Mapping Collection-1":::
+ :::image type="content" source="../media/alternate-access-mapping-collection.png" alt-text="Alternate Access Mapping Collection-1":::
- Extending an existing web application to set AD FS OIDC authentication on a new zone. To extend an existing web application, do the following:
- 1. Start the SharePoint Management Shell and run the following script:
- ```powershell
- # This script creates a trusted authentication provider for OIDC
-
- $sptrust = Get-SPTrustedIdentityTokenIssuer "contoso.local"
- $ap = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $sptrust
- ```
+ 1. Start the SharePoint Management Shell and run PowerShell to extend the web application:
- 2. Open the SharePoint Central Administration site.
- 3. Open the web application you want to extend OIDC authentication to and pick **contoso.local** as **Trusted Identity Provider**.
+ **Example:**
- :::image type="content" source="../media/authentication-providers-4.jpg" alt-text="Authentication Providers 4":::
+ ```powershell
+ # Get the trusted provider
+ $sptrust = Get-SPTrustedIdentityTokenIssuer "Contoso.local"
+ $ap = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $sptrust
+ # Get the web app
+ $wa = Get-SPWebApplication http://spsites
+ # Extend the web app to the "Intranet" zone using trusted provider auth and a SharePoint managed certificate called "SharePoint OIDC Site"
+ New-SPWebApplicationExtension -Identity $wa -Name "spsites" -port 443 -HostHeader 'spsites.contoso.local'-AuthenticationProvider $ap -SecureSocketsLayer -UseServerNameIndication -Certificate 'SharePoint OIDC Site' -Zone 'Intranet' -URL 'https://spsites.contoso.local'
+ ```
- 4. Navigate to **System Settings** > **Configure Alternate Access Mappings** > **Alternate Access Mapping Collection**.
- 5. Filter the display with the web application that was extended and confirm that you see the following information:
+ 2. Navigate to **System Settings** > **Configure Alternate Access Mappings** > **Alternate Access Mapping Collection**.
- :::image type="content" source="../media/alternate-access-mapping-collection-2.png" alt-text="Alternate Access Mapping Collection":::
+ 3. Filter the display with the web application that was extended and confirm that you see the following information:
+
+ :::image type="content" source="../media/alternate-access-mapping-collection-2.png" alt-text="Alternate Access Mapping Collection":::
## Step 5: Ensure the web application is configured with SSL certificate
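Review bot: In the new Step 4 extension example, the `New-SPWebApplicationExtension` line has no space between `-HostHeader 'spsites.contoso.local'` and `-AuthenticationProvider $ap`, so the parameter name is glued onto the host header string and `-AuthenticationProvider` is not read as a separate parameter when the command is copied as written. Insert the space. The example also passes `-Certificate 'SharePoint OIDC Site'`, but the only certificate this article creates is `"Contoso SharePoint (2021)"`, and that happens later in Step 5; either use that name or say that a certificate with this name must already exist in SharePoint Certificate Management. Finally, the rewritten steps drop the Central Administration step for picking the trusted identity provider along with its screenshot; that is consistent with passing the provider on the command line, but the step text should say the provider is assigned by the script so readers coming from the old procedure do not look for the removed step.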
-Since OpenID Connect 1.0 authentication can only work with HTTPS protocol, a certificate must be set on the corresponding web application. Perform the following steps to set a certificate:
+Since OpenID Connect 1.0 authentication can only work with HTTPS protocol, a certificate must be set on the corresponding web application. If you have not already done so, perform the following steps to set a certificate:
- Generate the site certificate:
- > [!NOTE]
- > You may skip this step if you have already generated the certificate.
+ > [!NOTE]
+ > You may skip this step if you have already generated the certificate.
+
+ 1. Open the SharePoint PowerShell console.
- 1. Open the SharePoint PowerShell console.
- 2. Run the following script to generate a self-signed certificate and add it to the SharePoint farm:
+ 2. Run the following script to generate a self-signed certificate and add it to the SharePoint farm:
- ```powershell
- New-SPCertificate -FriendlyName "Contoso SharePoint (2021)" -KeySize 2048 -CommonName spsites.contoso.local -AlternativeNames extranet.contoso.local, onedrive.contoso.local -OrganizationalUnit "Contoso IT Department" -Organization "Contoso" -Locality "Redmond" -State "Washington" -Country "US" -Exportable -HashAlgorithm SHA256 -Path "\\server\fileshare\Contoso SharePoint 2021 Certificate Signing Request.txt"
- Move-SPCertificate -Identity "Contoso SharePoint (2021)" -NewStore EndEntity
- ```
+ ```powershell
+ New-SPCertificate -FriendlyName "Contoso SharePoint (2021)" -KeySize 2048 -CommonName spsites.contoso.local -AlternativeNames extranet.contoso.local, onedrive.contoso.local -OrganizationalUnit "Contoso IT Department" -Organization "Contoso" -Locality "Redmond" -State "Washington" -Country "US" -Exportable -HashAlgorithm SHA256 -Path "\\server\fileshare\Contoso SharePoint 2021 Certificate Signing Request.txt"
+ Move-SPCertificate -Identity "Contoso SharePoint (2021)" -NewStore EndEntity
+ ```
- > [!IMPORTANT]
- > Self-signed certificates are suitable only for test purposes. In production environments, we strongly recommend that you use certificates issued by a certificate authority instead.
+ > [!IMPORTANT]
+ > Self-signed certificates are suitable only for test purposes. In production environments, we strongly recommend that you use certificates issued by a certificate authority instead.
- Set the certificate:
- You can use the following PowerShell cmdlet to assign the certificate to the web application:
+ You can use the following PowerShell cmdlet to assign the certificate to the web application:
- ```powershell
- Set-SPWebApplication -Identity https://spsites.contoso.local -Zone Default -SecureSocketsLayer -Certificate "Contoso SharePoint (2021)"
- ```
+ ```powershell
+ Set-SPWebApplication -Identity https://spsites.contoso.local -Zone Default -SecureSocketsLayer -Certificate "Contoso SharePoint (2021)"
+ ```
## Step 6: Create the site collection
In this step, you create a team site collection with two administrators: One as
11. Go to the account and select **OK**. 12. Select **OK** to create the site collection.
-Once the site collection is created, you will be able to sign-in using either the Windows or the federated site collection administrator account.
+Once the site collection is created, you should be able to sign-in using either the Windows or the federated (AD FS OIDC) site collection administrator account.
## Step 7: Set up People Picker-
-In OIDC authentication, the People Picker doesn't validate the input, which can lead to misspellings or users accidentally selecting the wrong claim type. This can be addressed using the new UPA-backed claim provider in SharePoint Server.
-
-Perform the following steps to help People Picker validate the input using the new UPA-backed claim provider:
-
-### 1. Create a new claim provider
-
-In the [previous step](#step-3-configure-sharepoint-to-trust-the-identity-providers), you've already created an OIDC `SPTrustedIdentityTokenIssuer` by using `New-SPTrustedIdentityTokenIssuer` PowerShell cmdlet. In this step, you'll use the following PowerShell cmdlet to create a claim provider, which uses the User Profile Application service to search and resolve users and groups in the People Picker and specifies to use the OIDC `SPTrustedIdentityTokenIssuer`:
-
- ```powershell
- $claimprovider = New-SPClaimProvider -AssemblyName "Microsoft.SharePoint, Version=16.0.0.0, Culture=neutral, publicKeyToken=71e9bce111e9429c" -DisplayName 'OIDC Claim Provider' -Type "Microsoft.SharePoint.Administration.Claims.SPTrustedBackedByUPAClaimProvider" -TrustedTokenIssuer $tokenissuer -Description ΓÇ£OIDC Claim ProviderΓÇ¥ -Default:$false
- ```
-
-Specify the following parameters:
-
-| Parameter | Description |
-||-|
-| AssemblyName | To be specified as `Microsoft.SharePoint, Version=16.0.0.0, Culture=neutral, publicKeyToken=71e9bce111e9429c`. |
-| Type | To be specified as `Microsoft.SharePoint.Administration.Claims.SPTrustedBackedByUPAClaimProvider` so that this command creates a claim provider, which uses UPA as the claim source. |
-| TrustedTokenIssuer | To be specified as the OIDC `SPTrustedIdentityTokenIssuer` created in the [previous step](#step-3-configure-sharepoint-to-trust-the-identity-providers), which will use this claim provider. This is a new parameter the user needs to provide when the type of the claim provider is `Microsoft.SharePoint.Administration.Claims.SPTrustedBackedByUPAClaimProvider`. |
-| Default | As we've created a claim provider by using this cmdlet, this cmdlet can only work with `SPTrustedIdentityTokenIssuer` and `Default` parameter must be set to false so that it wonΓÇÖt be used by any other authentication method assigned to the web application by default. |
-
-### 2. Connect `SPTrustedIdentityTokenIssuer` with `SPClaimProvider`
-
-In this step, the OIDC `SPTrustedIdentityTokenIssuer` uses the claim provider created in [step 1](#1-create-a-new-claim-provider) for searching and resolving users and groups:
-
- ```powershell
- Set-SPTrustedIdentityTokenIssuer <token issuer name> -ClaimProvider <claim provider object> -IsOpenIDConnect
- ```
-
-Specify the following parameters:
-
-| Parameter | Description |
-||-|
-| token issuer name | The token issuer this People Picker will use. |
-| -ClaimProvider | The `SPClaimProvider`, which will be used to generate claim. |
-| -IsOpenIDConnect | Required when `SPTrustedIdentityTokenIssuer` is OIDC `SPTrustedIdentityTokenIssuer`. Without this parameter, OIDC `SPTrustedIdentityTokenIssuer` configuration will fail. |
-
-An example of this command is:
-
- ```powershell
- $claimprovider = Get-SPClaimProvider -Identity "UPATest"
- Set-SPTrustedIdentityTokenIssuer "ADFS Provider" -ClaimProvider $claimprovider -IsOpenIDConnect
- ```
-
-### 3. Synchronize profiles to user profile service application (UPSA)
-
-Now, customers can start to synchronize profiles into the SharePoint UPSA from the identity provider used in the organization so that the newly created claim provider can work on the correct data set.
-
-There are two ways to synchronize user profiles into the SharePoint UPSA:
--- Create a new SharePoint Active Directory Import (AD Import) connection with **Trusted Claims Provider Authentication** as the **Authentication Provider Type** in the connection setting. To utilize AD Import, see [Manage user profile synchronization in SharePoint Server](/sharepoint/administration/manage-profile-synchronization).-
- :::image type="content" source="../media/add-new-sync-connection-2.png" alt-text="Add New Synchronization Connections":::
--- Use Microsoft Identity Manager (MIM). To utilize MIM, see [Microsoft Identity Manager in SharePoint Servers 2016 and 2019](/sharepoint/administration/microsoft-identity-manager-in-sharepoint-server-2016).
- - There should be two agents inside the MIM Synchronization Service Manager UX after MIM is set up. One agent is used to import user profiles from the source IDP to the MIM database. The other agent is used to export user profiles from the MIM database to the SharePoint UPSA.
-
-During the synchronization, the following three properties must be provided to the UPSA:
--- `SPS-ClaimID`-- `SPS-ClaimProviderID`-- `SPS-ClaimProviderType`-
- 1. `SPS-ClaimID`
-
- During the synchronization, you must pick which unique identity property in the source will be mapped to the `SPS-ClaimID` property in the UPSA. We suggest using **Email** or **User Principal Name** for the `SPS-ClaimID`. The corresponding **IdentifierClaim** value needs to be set when token issuer is created from the [New-SPTrustedIdentityTokenIssuer](/powershell/module/sharepoint-server/new-sptrustedidentitytokenissuer) cmdlet.
-
- For AD Import synchronization, **Central Administration > Application Management > Manage service applications > User Profile Service Application > Manage User Properties** will allow administrators to edit the `SPS-ClaimID` to indicate which property in the source identity provider should be synchronized to `SPS-ClaimID`. (The display name of this property is **Claim User Identifier** and it can be customized to other display names by the administrator.) For example, if email is to be used as the `SPS-ClaimID`, **Claim User Identifier** should be set to **Email**.
-
- :::image type="content" source="../media/SPS-ClaimID-1.png" alt-text="SPS-ClaimID":::
- :::image type="content" source="../media/SPS-ClaimID-2.png" alt-text="SPS-ClaimProviderID":::
- :::image type="content" source="../media/SPS-ClaimID-3.png" alt-text="SPS-ClaimProviderType":::
-
- MIM synchronization is done by mapping **Email** or **User Principal Name** to `SPS-ClaimID` in the MIM database to the SharePoint UPSA agent:
- - In the MIM Synchronization Service Manager, select the agent and open the **Configure Attribute Flow**. You can map **mail** to `SPS-ClaimID`.
-
- :::image type="content" source="../media/SPS-ClaimID-4.png" alt-text="SPS-ClaimID4":::
-
- 2. `SPS-ClaimProviderID` and `SPS-ClaimProviderType`
-
- For AD Import synchronization, these properties can be modified in **User Profile Service Application > Configure Synchronization Connections > Create New Connection** when you create a new AD Import synchronization connection.
-
- - `SPS-ClaimProviderID` should be set to the provider name created in [step 1](#1-create-a-new-claim-provider) by the `New-SPClaimProvider` cmdlet.
- - `SPS-ClaimProviderType` should be set to `SPTrustedBackedByUPAClaimProvider`.
-
- For MIM synchronization, these properties can be set in the **Configure Attribute Flow** for the MIM database to SharePoint UPSA agent:
-
- - `SPS-ClaimProviderType` should be set to **Trusted** as Constant type.
- - `SPS-ClaimProviderID` should be set to the provider name created in [step 1](#1-create-a-new-claim-provider) by the `New-SPClaimProvider` cmdlet.
-
- :::image type="content" source="../media/configure-attribute-flow-2.png" alt-text="Configure Attribute Flow":::
-
-### 4. Make groups searchable
-
-Perform the following steps to enable the People Picker control to work with groups:
-
-1. Group object must have a property named `SID` of type `groupid` in the identity provider.
-
- You can create a `ClaimTypeMapping` object by using [New-SPClaimTypeMapping](/powershell/module/sharepoint-server/new-spclaimtypemapping) and then provide this object to [New-SPTrustedIdentityTokenIssuer](/powershell/module/sharepoint-server/new-sptrustedidentitytokenissuer) cmdlet with `-ClaimsMappings` parameter.
-
- ```powershell
- $sidClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" -IncomingClaimTypeDisplayName "SID" -SameAsIncoming
- $tokenissuer = New-SPTrustedIdentityTokenIssuer -ClaimsMappings $sidClaimMap, $emailClaimMap
- ```
-
- This sample cmdlet first creates a `claimmap` object of type `groupsid` and indicates that it works with the `SID` property of the group and then creates a new identity issuer, which can understand this mapping.
-
-2. Synchronize `SID` property of groups from the identity provider to the `SID` property in UPSA.
- 1. For AD Import synchronization, `SID` will be synchronized automatically without additional setup from the source identity provider to the SharePoint UPSA.
- 2. For MIM synchronization, the property mapping needs to be taken from the identity provider to MIM and then from MIM to the SharePoint UPSA so that MIM can synchronize the group `SID` from the identity provider to the SharePoint UPSA. This is similar to how we do user profile synchronization for the `SPS-ClaimID` property for user profiles.
-
-3. For MIM synchronization, `sAMAccountName` should also be mapped to `accountName` from MIM to the SharePoint UPSA. If it doesnΓÇÖt exist, admin should create mapping pair from `sAMAccountName` to `accountName` in MIM manually.
-
-### 5. Enable fields being searchable in UPSA
-
-To make People Picker work, the final step is to enable fields to be searchable in UPSA.
-
-Users can set which properties are searched by the People Picker by following this sample PowerShell script:
-
- ```powershell
- #Get the property list of UPSA connected with the web application
- $site = $(Get-SPWebApplication $WebApplicationName).Sites[0]
- $context= Get-SPServiceContext $site
- $psm = [Microsoft.Office.Server.UserProfiles.ProfileSubTypeManager]::Get($context)
- $ps =
- $psm.GetProfileSubtype([Microsoft.Office.Server.UserProfiles.ProfileSubtypeManager]::GetDefaultProfileName([Microsoft.Office.Server.UserProfiles.ProfileType]::User))
- $properties = $ps.Properties
-
- #Enable people picker search for property name 'FistName', 'LastName' and 'SPS-ClaimID'
- $PropertyNames = 'FirstName', 'LastName', 'SPS-ClaimID'
- foreach ($p in $PropertyNames) {
- $property = $properties.GetPropertyByName($p)
- if ($property) {
- $property.CoreProperty.IsPeoplePickerSearchable = $true
- $property.CoreProperty.Commit()
- $property.Commit()
- }
- }
- ```
-
+In OIDC authentication, the People Picker doesn't validate the input, which can lead to misspellings or users accidentally selecting the wrong claim type. This can be addressed either by using a Custom Claims Provider, or by using the new UPA-backed claim provider included in SharePoint Server Subscription Edition. To configure a UPA-backed claim provider, see [Enhanced People Picker for modern authentication](/sharepoint/administration/enhanced-people-picker-for-trusted-authentication-method).
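Review bot: The added paragraph at the end of this hunk replaces the whole inline UPA-backed claim provider procedure (steps 1 to 5) with a single link, so the removed headings and their anchors, such as `#1-create-a-new-claim-provider`, disappear and any inbound link to them will no longer resolve. Before merging, confirm that the linked article (`enhanced-people-picker-for-trusted-authentication-method`) carries the constraints deleted here: that `-IsOpenIDConnect` is required on `Set-SPTrustedIdentityTokenIssuer` for an OIDC issuer, that `Default` must be set to false on `New-SPClaimProvider`, and that `SPS-ClaimID`, `SPS-ClaimProviderID` and `SPS-ClaimProviderType` must be supplied to the UPSA during synchronization. The new sentence also says the People Picker "doesn't validate the input" but stops at "misspellings or users accidentally selecting the wrong claim type"; consider adding a clause on what such an entry means for the permissions an administrator is assigning, since that is the reason to configure one of the two claim providers.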